Can software do encryption job?


In the face of standards agency's recognition of hardware only and objections of chip makers, versions are appearing


by Deborah Williams, McGraw-Hill Publications Co., and Harvey J. Hindin, Communications & Microwave Editor 


When the National Bureau of Standards published its data encryption standard (DES) three years ago, it stated that only hardware implementations would be certified. Although there was nothing in the algorithm precluding it, software was considered too slow, difficult to validate, and subject to unauthorized modification. So hardware manufacturers took advantage of the opportunity to develop special DES chips.

But undaunted by the lack of NBS blessing, software experts continued to work on their versions and the results are coming in. For example, Richard Gumpertz, an associate in the computer science department at Carnegie-Mellon University in Pittsburgh, has implemented a DES program for a variety of computers that gives results as good as or better than those of existing hardware.

Not everyone is happy with this development. First, there is an ongoing controversy over why the NBS did not certify software in the first place; also, hardware manufacturers question software's security and decry its impact on their market. On the bright side, industry experts agree that fast software will expand the sluggish encryption market itself [Electronics, June 5, p. 96].


Not against software per se, the NBS "uses software for DES testing," says Dennis Branstad, director of NBS computer security there. He adds that "it's not impossible that the bureau would consider a DES for software."

Why the delay? The NBS originally estimated that the software implementation of a standard 64-bit data block would take 30 to 200 microseconds. That is the equivalent of a data rate of 0.3 to 2.0 kilobits per second, which is not at all suitable for high-speed communications or computer links. But Gumpertz determined that one of the reasons a programmed implementation is slow is that the typical computer is not equipped with the right data paths for the necessary DES algorithm manipulations.

Fast approaches. Gumpertz's program yields throughputs in the popular block-cipher mode that are on a par with hardware speeds (compare bottom six bars with top seven). The time to get data to and from the computer is not included in the calculation, nor are computer interrupts.

Making fast software harder to develop are the initial and final permutation steps in the algorithm. These two mathematical manipulations, difficult to implement in software, greatly increase a program's execution time. Gumpertz suggests that they were included in the DES both to ease some hardware designs and to discourage software.

The algorithm's 16 internal expansion cycles, each of which requires eight arithmetic manipulations, present another obstacle. For Gumpertz this was the principal bottleneck to a fast program and took up more than half the execution time. "The instruction sets of typical computers do not offer much assistance in implementing the expansion operations," he explains.

Gumpertz's program finally overcame all these obstacles without needing much computer space. Only 150 bytes are required for the data, and 2.5 kilobytes are needed for the program. "The program does not take up much space because most of the time is spent doing the same thing over and over," he says. "Furthermore, few temporary locations are needed for intermediate results," he concludes.

Same difference. For Steven Kent, too, software is the way to go. Asked to compare his approach with Gumpertz's, the research assistant at the Massachusetts Institute of Technology in Cambridge, Mass., says that his group's program does not combine operations in the same way nor does it have the problem with the expansion cycles.

"Our timing is fairly compatible with Gumpertz's but our implementation doesn't have the same combination of operations. I assure you that the expansion steps don't have to be a limitation to a fast DES. Gumpertz is doing it just one way of the many possible," he says. Kent's group sold an IBM System/370 program to a mainframe manufacturer for $10,000, but he says that similar versions could be sold for less.

In contrast to Gumpertz and Kent, Herbert Bright, president of Computation Planning Inc. in Bethesda, Md., has been marketing software-encryption systems since 1975. His $4,700 Desqik package does the algorithm at 38 kilobytes per second on machines in the Amdahl 470V/6 class. He says business in the first four months of 1980 was better than for the last four and a half years, although he will not give figures.

Of course, some of Gumpertz's assumptions are challenged by the hardware people. Says Ken Cohen, security product line manager at Western Digital Corp. of Newport Beach, Calif., "I think Gumpertz has demonstrated that it is possible to write an efficient DES program, but I question how fast some of the subroutines—particularly in the Cray-1—would be in an interrupt environment. In the real world, that machine has to be doing things such as collecting data from a communications line or a disk, decrypting it, and passing it off to an applications program. What happens to the speed of the algorithm in that environment, what happens when encryption is fighting for priority in the stack of jobs to be run and the processor is handling many input/output interrupts?"

Occasional. Cohen also questions the enormous cost of running a machine when inexpensive hardware is available. Gumpertz acknowledges that it may not be fair to compare the $10 million Cray to a chip. But he suggests that a general-purpose processor would be more economical if encryption is not often used.

The occasional-use problem is only one of several reasons to consider software in the first place. Perhaps more important, according to Gumpertz, the appropriate interfacing circuitry may not be available.

Gumpertz adds that once software encryption is installed, it can be used on data other than that being transmitted or received over one particular channel. "This flexibility can be very useful. Consider, for example, data on a magnetic tape. Even if there is already DES hardware on site, it probably has been wired into the communications system and so cannot be used for this purpose. On the other hand, a subroutine can trivially be used to massage data before writing it on tape," he says.
The Mathematics of Public-Key Cryptography

The search for privacy in an age of electronic communications has given rise to new methods of encryption. These methods are more practical than older ones and are mathematically more interesting


by Martin E. Hellman


The electronic communications systems that are proliferating throughout modern society offer speed, accuracy and ever diminishing cost. They also present serious problems of security. As the ordinary transactions conducted in person, on the telephone or by written correspondence have come increasingly to be conducted by new kinds of electronic systems the susceptibility of organizations and individuals to eavesdropping and forgery has grown dramatically. One way to prevent tampering with the new electronic systems and to protect the vast quantities of private information such as the credit records and medical histories now stored in computer data banks is to resort to cryptosystems: methods for encrypting, or transforming, information so that it is unintelligible and therefore useless to those who are not meant to have access to it.

Encryption is a special form of computation, and almost all modern cryptosystems depend on difficulty of computation for their security; they effect transformations of data so complicated that it is beyond the economic means of an eavesdropper to reverse the process. (Accounts of intelligence operations during World War II reveal that as recently as 35 years ago systems offering this type of security were not widely available. Since then the cost of computation has dropped by a factor of about a million, so that the equipment necessary for secure encryption is now reasonably priced.) Given unlimited computing power (an unrealistic assumption) such computationally secure systems could be broken, but in practice they appear to be unbreakable.

At present mathematicians lack the tools for proving systems to be computationally secure, and the history of cryptography demonstrates all too well that supposedly unbreakable systems often have hidden flaws. It is hoped that discoveries in complexity theory, a branch of mathematics that studies the difficulty (or cost) of computation, will eventually provide the tools needed to establish provably secure cryptosystems: computationally secure systems that can be guaranteed to be free of hidden flaws. In the meantime a group of mathematical problems characterized by a certain kind of computational intractability are serving as the basis of a new class of encryption procedures that are in many ways superior to current techniques. The proposed new systems, which were first put forward by Ralph Merkle, Whitfield Diffie and me at Stanford University, are termed public-key cryptosystems. To understand the significance of the term it is necessary to consider briefly how methods of encryption have developed historically.

Any cryptographic technique, such as the substitution and transposition of symbols, that operates on a message without regard to its linguistic structure is called a cipher and is said to generate a ciphertext. (Codes, which I shall not discuss here, operate on larger linguistic units such as words or phrases.) More precisely, the basis of any cipher is an invertible function: an operation (performed by the sender of the message) that converts a plaintext, or unenci-
CRYPTOGRAPHIC SYSTEM is a mathematical system for encrypting, or transforming, information so that it is unintelligible and therefore useless to those who are not meant to have access to it. The encryption process generally begins with the conversion of the plaintext, or unenciphered message, into a string of numbers by means of a digital "alphabet" such as one of those shown here. In some cryptosystems it is more convenient to work with binary numbers, and so in the rather simple alphabet shown at the top five bits (binary digits) have been allocated to represent each letter, number or punctuation mark in the plaintext. Each bit can take two values (0 or 1), making a total of $2^5$, or 32, characters in this alphabet. In other cryptosystems it is simpler to think in terms not of a binary (base-2) number system but a decimal (base-10) one. In the alphabet shown at the bottom two decimal digits have been allocated for each plaintext symbol, providing a total of $10^2$, or 100, characters. (Some of these may not be needed.)


C and the $a_i$'s. The receiver must solve the same knapsack problem, but to simplify the task he has additional information: his secret trapdoor parameters and deciphering key.

These steps should be made clear by a simple example [see illustration on page 755]. Consider a plaintext message in which the first word is how. In binary form the message begins 00111011101011011010. (This binary string, in which the last five-bit block represents the space between how and the next word in the message, is generated by the five-bit binary alphabet described above.) Now assume that the intended receiver's public enciphering key is a = (2,292, 1,089, 211, 1,625, 1,283, 599, 759, 315, 2,597, 2,463), or $a_1$ = 2,292, $a_2$ = 1,089 and so on. Here n equals 10, and the first block of information, which consists of the first n bits in the binary plaintext, is x = (0, 0, 1, 1, 1, 0, 1, 1, 1, 0). It is enciphered, then, as $C = a_1 x_1 + \dots + a_n x_n$, or C = (2,292 × 0) + (1,089 × 0) + (211 × 1) + (1,625 × 1) + (1,283 × 1) + (599 × 0) + (759 × 1) + (315 × 1) + (2,597 × 1) + (2,463 × 0). Therefore C equals 6,790, and to decipher the message it is necessary to determine which of the $a_i$'s add up to 6,790. (If $a_i$ is included in the sum, $x_i$ is 1 and vice versa.)

None of the known methods for solving the knapsack problem is substantially less time-consuming than conducting an exhaustive search, that is, adding up all the $2^n$ possible subsets of the $a_i$'s to see which subset yields C. In the example given above, where the number of elements n is equal to 10, this might be considered a workable approach. Someone intercepting C could try all the $2^{10}$, or 1,024, possible combinations of the publicly listed $a_i$'s and thereby recover the vector x. In this instance the number of elements in a is too small to provide real secrecy. The knapsack problem is an NP one, however, and therefore the computational difficulty of all known solution methods rapidly "blows up." When the number of elements n is, say, 1,000, the number of possible subsets $2^{1{,}000}$ is greater than the number of atoms in the known universe. Deciphering by checking $2^{1{,}000}$ different subsets is quite impossible, and so C effectively shields the secret information x. On the other hand, enciphering 1,000 bits of information in this system is quite efficient, requiring no more than 1,000 additions.

So far I have described what appears to be a one-way function: apparently no one, including the receiver, will be able to recover x. If the elements of vector a are chosen at random, this is exactly the type of system that results. Even in this simple example, however, a trapdoor has been built in. The vector a has been structured in such a way that with a small amount of additional information x can be derived from C much more rapidly than by an exhaustive search. As I have noted, not all NP problems lend themselves to the insertion of such a trapdoor. Here the trapdoor can be devised because there are certain vectors for which the knapsack problem is not difficult to solve. The receiver takes one of those special vectors a' and disguises it, publishing the resulting ordinary-looking vector a in the public file of enciphering keys. The trapdoor information enables him to move back and forth between a difficult knapsack problem involving a and the easy but equivalent knapsack problem involving a'.

PROBLEMS IN THE CLASS NP (which stands for nondeterministic, polynomial time) are characterized by the fact that although it is easy to check a nondeterministic, or guessed, solution, it is hard to find a correct solution: As the size n of an NP problem increases, the number of computational steps and hence the time required to check a solution increase in proportion to a polynomial function of n such as $n^2$ (black curve), but all known methods of finding a solution increase in proportion to a more rapidly growing function of n, typically an exponential one such as $2^n$ (colored curve). Exponential functions increase far more rapidly, and when n is sufficiently large, NP problems become computationally infeasible. Hence they lend themselves readily to the design of one-way functions: easily computed functions whose inverses are infeasible to compute. In some cases such problems can be developed into trapdoor one-way functions: easily computed functions whose inverses are infeasible to compute unless certain facts employed in the design of the functions are known. Trapdoor one-way functions serve as the basis of public-key cryptosystems: the public key specifies an easily computed function, which is infeasible to invert unless one knows the secret key; that key specifies an easily computed inverse function.

To be more precise, in generating his public vector a the receiver begins by choosing a vector $a' = (a_1', \dots, a_n')$ in which each element $a_i'$ is larger than the sum of the preceding elements $a_1' + a_2' + \dots$ For example, if a' equals (3, 5, 11, 20, 41, 83, 169, 340, 679, 1,358), then $a_2'$, which equals 5, is greater than $a_1'$, which equals 3; $a_3'$, which equals 11, is greater than $a_1' + a_2'$, which equals 3 + 5, or 8, and so on. Now, consider a ciphertext C' = 1,260 that was generated with this special vector a'. In other words, C' equals $a' \cdot x'$ for some binary vector $x' = (x_1', \dots, x_n')$, that is, 1,260 equals $3x_1' + 5x_2' + 11x_3' + 20x_4' + 41x_5' + 83x_6' + 169x_7' + 340x_8' + 679x_9' + 1{,}358x_{10}'$.

Once again the problem of decipherment is equivalent to solving a knapsack problem, but in this instance because of the special property of the vector a' the solution x' is easily determined. To begin with, $a_{10}'$, which equals 1,358, is greater than C', which equals 1,260, and so obviously cannot be part of the subset sum, that is, the rod is too long to fit into the knapsack. Hence $x_{10}'$ must be 0. The next-largest element in the vector is $a_9'$, or 679, which is less than C', or 1,260. As the special property of a' dictates, the sum of the eight remaining elements of a' must be less than 679, and so those elements alone cannot "fill" the knapsack of length 1,260. Therefore 679 must be part of the sum, and $x_9'$ must be 1. Since $x_9'$ equals 1 and $x_{10}'$ equals 0, the equation $C' = a' \cdot x'$ can now be rewritten as $1{,}260 = 3x_1' + 5x_2' + 11x_3' + 20x_4' + 41x_5' + 83x_6' + 169x_7' + 340x_8' + 679 + 0$. Subtracting 679 from both sides of the equation reduces the problem to determining which of the elements $a_1', \dots, a_8'$ add up to 1,260 − 679, or 581 (the length of the still empty part of the knapsack). Since $a_8'$ equals 340, which is less than 581, it is included in the sum. Thus $x_8'$ is 1. Continuing in this manner, it can be determined that x' is the original message block x = (0, 0, 1, 1, 1, 0, 1, 1, 1, 0).

KNAPSACK PROBLEM is an NP problem from which a trapdoor one-way function can be derived. The cylinder and set of rods shown at the left illustrate the classic knapsack problem: Given a knapsack, or cylinder, of length C and a set of n rods all of the same diameter as the knapsack but of lengths $a_1, a_2, \dots, a_n$, find a subset of rods that fills the knapsack completely. This problem is in the class NP because the best method known for solving it is not much more efficient than trying all $2^n$ possible subset sums to see which one equals C, and yet a guessed solution can be checked with no more than n additions. Even in the small 10-rod examples shown here, finding a solution (color) by this method requires the testing of $2^{10}$, or 1,024, different subsets, and when n is, say, 100, the task becomes impossible. An ordered set of numbers such as $a = (a_1, \dots, a_n)$ or $x = (x_1, \dots, x_n)$ is called a vector, and the "dot" product of two vectors $a \cdot x$ is defined as the sum $a_1 x_1 + \dots + a_n x_n$. Given a fixed vector a, a function of the variable vector x can be defined as the dot product of x with the vector a, that is, $f(x) = a \cdot x$. If the elements $x_1, \dots, x_n$ of x are all equal to 0 or 1, then inverting this function, or determining which value of x gives a particular sum $C = a \cdot x$, is equivalent to solving the knapsack problem for C and the given values of $a_1, \dots, a_n$. The function is one-way because the knapsack problem is in the class NP. Moreover, a trapdoor can be built into the function, because for certain vectors, or sets of rods, $a' = (a_1', \dots, a_n')$ the knapsack problem is easy to solve. In these sets, such as the one shown in the problem at the right, each element is greater than the sum of the preceding elements. To determine which subset fills the knapsack begin with the last, or largest, element $a_n'$. In this case $a_{10}'$ equals 1,358, which is greater than 1,260, the length of the cylinder C'. Hence $a_{10}'$ is not in the subset (that is, in the sum $C' = a_1' x_1 + \dots + a_{10}' x_{10}$, $x_{10}$ equals 0). But $a_9'$, which equals 679, is smaller than 1,260, and since the remaining elements in the set add up to a number even smaller than $a_9'$, it must be in the subset (that is, $x_9$ equals 1). The problem is now reduced to filling the remainder of the cylinder, whose length is $C' - a_9'$, or 581, with a subset of the remaining rods $a_1', \dots, a_8'$, and so on. Continuing in the same way, the problem can be solved (or the function based on it can be inverted) with no more than 10 comparisons and 10 subtractions. As colored lines indicate, there is a way to move back and forth between the easy and hard knapsack problems. Parameters for effecting that transformation are the secret trapdoor information for the trapdoor one-way function based on the knapsack problem (see illustration on page 155).

Constructing an easy knapsack vector such as a' is not difficult, but how does the receiver get from a' to a and back again? To accomplish that feat he chooses two large random numbers w and m and generates the vector a according to the equation $a_i = a_i' w$ modulo m, for each i from 1 to n. The expression "modulo m" indicates that $a_i$ should be taken to be the remainder left when $a_i' w$ is divided by m. For example, if w equals 764 and m equals 2,731, consider the element $a_4'$ of vector a'. Since $a_4'$ equals 20, $a_4' w$ equals 15,280. Dividing 2,731 into 15,280 gives 5 with a remainder of 1,625, so that $a_4$, or $a_4' w$ modulo m, equals 1,625.

Modular arithmetic plays a large part in public-key cryptosystems, because it turns smooth, or continuous and continually increasing or decreasing, functions into discontinuous ones, introducing a large factor of confusion into the calculation of their inverses: the values of x that correspond to particular values of $f(x)$. Consider the simple function $f(x) = 4x$. As x increases, the value of $f(x)$ increases in a very orderly way; for example, $f(3)$ is 12, $f(4)$ is 16, $f(5)$ is 20, $f(6)$ is 24 and so on. As a result if one is given a specific number $y = f(x)$, it is not difficult to determine x by a process of guesswork and elimination without ever actually solving the equation $y = 4x$. In other words, if a function is smooth, then no matter how hard solving explicitly for x is, it may still be possible to determine the value of x for a particular $f(x)$ through trial and error. For example, if $f(x)$ equals 20, one might guess that x equals 3. Then $f(x)$ would equal 12, which is too small, so that the correct value of x must be greater than 3. If, however, x = 6 were tried, $f(x)$ would equal 24, which is too large, so that x must be less than 6, and so on. Such smooth functions present problems in public-key systems, which depend on functions for shielding numbers.

Consider what happens, however, if modularity is added. When $f(x)$ equals, say, 4x modulo 7, as x increases, the value of $f(x)$ jumps around in a quite haphazard way. For example, $f(1)$ is 4, $f(2)$ is 1, $f(3)$ is 5, $f(4)$ is 2, $f(5)$ is 6 and $f(6)$ is 3. Even in such a simple case it is clear that this function that includes modularity provides far better protection for the values of x than the one that does not include it. In the case of the trapdoor knapsack system, applying modularity in the generation of the difficult knapsack vector a prevents the recovery of a' for anyone who does not know the secret transformation parameters w and m.

For anyone who does know w and m, however, the conversion back into a' would not be difficult at all. In fact, with those parameters it is quite easy to convert the difficult knapsack problem involving the vector a and the transmitted ciphertext message C into an easy knapsack problem involving the vector a' and a new sum C' and then to solve (or decipher) for x. To begin with, it is a simple mathematical exercise to calculate the inverse of w modulo m, that is, the number $w^{-1}$ that when multiplied by w modulo m gives 1. There is a fast procedure for finding inverses in modular arithmetic (based on Euclid's algorithm for finding the greatest common divisor of two numbers) that makes this calculation efficient, even in a realistic system in which w and m are on the order of 50 digits long. (Incidentally, for this purpose w and m must be chosen to be relatively prime; if they had a common factor, or divisor, there would be no multiplicative inverse of w modulo m.)

To decipher the message C, then, the receiver first calculates $C' = C w^{-1}$ modulo m. To see what this operation accomplishes remember that C equals $a_1 x_1 + \dots + a_n x_n$. In modular arithmetic, as in ordinary arithmetic, it is permissible to multiply both sides of an equation by the same quantity so that $C w^{-1}$ modulo m equals $a_1 x_1 w^{-1} + \dots + a_n x_n w^{-1}$, or $a_1 w^{-1} x_1 + \dots + a_n w^{-1} x_n$, modulo m. The vector a was generated from the vector a', however, by computing $a_i = a_i' w$ modulo m for each i. Hence $a_i w^{-1}$ equals $a_i'$ modulo m for each i, that is, $a_1 w^{-1}$ equals $a_1'$ modulo m, $a_2 w^{-1}$ equals $a_2'$ modulo m and so on. Substituting these last results into the preceding equation, one discovers that C', or $C w^{-1}$ modulo m, equals $a_1' x_1 + \dots + a_n' x_n$, or $a' \cdot x$.

In other words, calculating $C w^{-1}$ modulo m is all that is needed to convert the problem of deciphering C into an easy knapsack problem. The receiver simply applies his secret vector a' to solve the knapsack problem for C' and recover x. For those who do not have the secret information w and m, however, there is no easily implemented method known of transforming C into C' (or translating the difficult vector a into the easy vector a') for efficient deciphering.

In the 10-element example I have been discussing it is easy to verify that the numbers w and m relating a and a' or C and C' are respectively 764 and 2,731, and that $w^{-1}$ is 1,605. Notice that in this public-key system the trapdoor information w, m and a' is virtually synonymous with the secret deciphering key $w^{-1}$, m and a'. The same is not true of all public-key cryptosystems. (In practical cryptosystems based on the trapdoor knapsack scheme it may be desirable to introduce additional security by iterating the conversion process, so that the public and the private vectors differ by several transformations and several intermediate vectors.)
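The whole trapdoor-knapsack procedure described above (disguising a', enciphering a block, recovering x via $w^{-1}$ and the greedy solution of the easy knapsack), carried through in code with the article's own numbers. This is an added example, not code from the article; the 5-bit alphabet (a-z as 0 to 25, space as 26) is a constructed assumption that reproduces the bit string the article gives for "how ".

```python
"""Trapdoor knapsack worked through with the article's parameters (added example)."""
from math import gcd
from typing import List, Tuple

# Secret trapdoor information from the article: easy vector a', multiplier w, modulus m.
A_PRIME = [3, 5, 11, 20, 41, 83, 169, 340, 679, 1358]
W, M = 764, 2731


def is_superincreasing(vec: List[int]) -> bool:
    """Each element must exceed the sum of all preceding elements."""
    total = 0
    for v in vec:
        if v <= total:
            return False
        total += v
    return True


def mod_inverse(w: int, m: int) -> int:
    """w^-1 modulo m by the extended Euclidean algorithm (the fast procedure the text mentions)."""
    old_r, r, old_s, s = w, m, 1, 0
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("w and m are not relatively prime; no inverse exists")
    return old_s % m


def make_public_vector(a_prime: List[int], w: int, m: int) -> List[int]:
    """Key generation: a_i = a_i' * w modulo m. The checks keep the trapdoor usable:
    m must exceed the sum of a' so that C' = a'.x survives the reduction modulo m,
    and w must be relatively prime to m so that w^-1 exists."""
    if not is_superincreasing(a_prime):
        raise ValueError("a' must be superincreasing")
    if m <= sum(a_prime):
        raise ValueError("m must be larger than the sum of the elements of a'")
    if not 0 < w < m or gcd(w, m) != 1:
        raise ValueError("w must lie in (0, m) and be relatively prime to m")
    return [(ai * w) % m for ai in a_prime]


def encipher_block(a: List[int], bits: List[int]) -> int:
    """Public operation: C = a_1 x_1 + ... + a_n x_n, at most n additions."""
    if len(bits) != len(a) or any(b not in (0, 1) for b in bits):
        raise ValueError("the block must be a 0/1 vector of length n")
    return sum(ai * xi for ai, xi in zip(a, bits))


def solve_easy_knapsack(a_prime: List[int], target: int) -> List[int]:
    """Greedy solution of a superincreasing knapsack: try the largest rod first."""
    x = [0] * len(a_prime)
    remaining = target
    for i in range(len(a_prime) - 1, -1, -1):
        if a_prime[i] <= remaining:
            x[i] = 1
            remaining -= a_prime[i]
    if remaining != 0:
        raise ValueError("no subset of a' sums to the target; C was not produced by this key")
    return x


def decipher_block(c: int, a_prime: List[int], w_inv: int, m: int) -> List[int]:
    """Secret operation: C' = C w^-1 modulo m, then solve the easy knapsack for x."""
    return solve_easy_knapsack(a_prime, (c * w_inv) % m)


def text_to_bits(text: str) -> List[int]:
    """Constructed 5-bit alphabet (assumption): a-z -> 0..25, space -> 26."""
    bits: List[int] = []
    for ch in text:
        code = 26 if ch == " " else ord(ch) - ord("a")
        if not 0 <= code <= 26:
            raise ValueError(f"character {ch!r} is not in the 5-bit alphabet")
        bits.extend(int(b) for b in format(code, "05b"))
    return bits


def demo() -> Tuple[List[int], int, int, int, List[int]]:
    """Runs the article's example: returns (a, w^-1, C, C', recovered x)."""
    a = make_public_vector(A_PRIME, W, M)
    w_inv = mod_inverse(W, M)
    block = text_to_bits("how ")[:10]           # first n = 10 bits of the message
    c = encipher_block(a, block)                # sender's work, public key only
    c_prime = (c * w_inv) % M                   # receiver's first step
    recovered = decipher_block(c, A_PRIME, w_inv, M)
    return a, w_inv, c, c_prime, recovered


if __name__ == "__main__":
    print(demo())
```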

Since only the numbers w, or $w^{-1}$, and m and the vector a' must be kept secret, all users of the trapdoor knapsack system can employ the same public computer program for generating both their public key and their secret parameters. Utilizing a random-number generator to provide the program with a', w and m will serve to ensure that each user's pair of keys is distinct. Similarly, a public program could be made available that would encipher messages and, when it was supplied with the secret parameters, decipher messages. Therefore no mathematical ability is required to implement the trapdoor knapsack cryptosystem. Any useful public-key system must have this same characteristic.

The second public-key system I shall describe is based on an NP problem that has an even longer and more distinguished history of resisting solution than the knapsack problem: the problem of factoring a large number, or finding all the primes that divide it evenly. (A prime number is an integer that is divisible only by 1 and itself.) This problem has been studied since the time of the ancient Greeks, and although some progress has been made with it, factoring a 200-digit number would still take the most powerful modern computer about a billion years. To give a smaller example, consider the problem of factoring 29,083. Calculating by hand, it would take the better part of an hour to find the only two factors of this number: 127 and 229. It takes less than a minute, however, to verify that those factors are correct, suggesting that the problem of factoring is a good basis for the construction of a one-way function. Figuring out how to build a trapdoor into such a function presents more difficult obstacles, but they have been overcome by Rivest, Shamir and Adleman, the designers of the RSA system.

To generate a public enciphering key each user of the RSA public-key system (or rather a program run on his computer) chooses two large random prime numbers p and q. The product n of these two numbers and another random number E are placed in the public file as the user's enciphering key. To apply the key a sender first converts his message into a string of numbers, which he then breaks into blocks $P_1, P_2, \dots$ In this instance it is not necessary to use binary numbers, but each plaintext number $P_i$ must be between 0 and n − 1. (The enciphering and deciphering functions operate modulo n and so can distinguish between numbers in this range only.) Locating the user's public key (E, n) in the directory, the sender computes for each plaintext number $P_i$ the ciphertext number $C_i = P_i^E$ modulo n. For example, if p equals 5, q equals 11 and E equals 3, then the user's enciphering key is (3, 55), and to encipher the plaintext information P = 2 a sender would compute $C = 2^3 = 8$ modulo 55. (Because the numbers in this example are so small modularity does not yet play a role.)

The RSA public-key cryptosystem is based on the fact that although finding large prime numbers is computationally easy, factoring the product of two such numbers is at present computationally infeasible. (It is important to understand that because there are computationally efficient primality tests, determining whether a number is prime is much easier than factoring a number of about the same size.) To decipher a ciphertext $C_1, C_2, \dots$, the user employs n and a secret deciphering key D derived from the prime factors p and q of n.

To understand how the deciphering key is derived it is necessary to consider the number (p − 1)(q − 1): a well-known object in number theory called Euler's totient function. This function, which is written $\phi(n)$, is defined as the number of integers between 1 and n that have no common factor with n. It is not hard to see that if n equals pq, then $\phi(n)$ equals (p − 1)(q − 1). The number $\phi(n)$ is introduced here because in functions, such as the one used for enciphering in the RSA system, that are calculated modulo n, arithmetic in the exponent is carried out not modulo n but modulo $\phi(n)$. An example may make this idea clearer. Consider the expression $2^{11}$ modulo 10. Since $2^{11}$ is equal to 2,048 and dividing 10 into 2,048 leaves a remainder of 8, the expression is equal to 8. Note that calculating by first reducing the exponent modulo 10 does not give the correct answer, since 11 modulo 10 equals 1, and $2^1$ equals 2. On the other hand, 10 equals 2 × 5, and so $\phi(10)$ equals (2 − 1)(5 − 1), or 4. Since 11 modulo 4 equals 3, calculating $2^{11}$ modulo 10 by first reducing the exponent modulo 4 gives the correct answer: $2^3$, or 8.

MODULAR ARITHMETIC is employed in many cryptosystems to further disguise information already transformed by an enciphering function. As is shown here, the value of an integer a modulo another integer b is defined as the remainder left when a is divided by b. For example, 27 modulo 11 equals 5, because 11 goes into 27 twice with 5 left over. The usefulness of this operation is shown for a simple enciphering function $C = P^3$. As P increases, the continuous way $P^3$ increases makes it possible to invert the function, or determine what value of P corresponds to a particular value of C, even though there is no simple formula for expressing P as the cube root of C. More precisely, a value of P that gives too small a value of C is itself too small, whereas a value of P that gives too large a value of C is itself too large. When modularity is added, however, so that C' equals $P^3$ modulo 11, the values of the function are thrown into disarray. As P increases, C' changes in a quite discontinuous way, effectively shielding P.

Now, the properties of φ(n) guarantee that there is always a multiplicative inverse D of E modulo φ(n), that is, ED modulo (p - 1)(q - 1) is equal to 1. In fact, there is always a fast, computationally easy method for deriving D. (It is not hard to see that in the example discussed above, where p equals 5, q equals 11 and E equals 3, (p - 1)(q - 1) equals 40 and D equals 27, because 3 × 27 is one more than 2 × 40.) This inverse D is the secret deciphering key for the RSA system. To decipher a ciphertext the receiver computes C_i^D modulo n for each ciphertext number C_i. C_i equals P_i^E modulo n, so that C_i^D modulo n equals (P_i^E)^D, or P_i^ED, modulo n. Because arithmetic in the exponent is performed modulo φ(n) and ED modulo φ(n) equals 1, P_i^ED modulo n equals P_i^1, or P_i. In other words, raising the ciphertext to the Dth power and reducing modulo n recovers the plaintext.

Hence in the RSA cryptosystem modularity plays a dual role, not only blocking the recovery of the secret deciphering key D from the public enciphering key (E, n) but also, by its presence in the enciphering algorithm, preventing a direct recovery of the plaintext from the ciphertext. The difficulty of computing D from the public information (E, n) depends on the difficulty of factoring n, or of deriving p and q from n. Once again the example I have given is too small to provide real secrecy, but since factoring large numbers is a very difficult problem, the difficulty of breaking the cipher blows up rapidly as n increases. When p and q are chosen so that n is about 200 digits long, it appears to be computationally infeasible for anyone but the intended receiver to decipher the message.

Just as the deciphering procedure (without the trapdoor information) must be computationally infeasible, the public enciphering procedure and secret deciphering procedure must be computationally efficient. At first the implementation of the RSA system appears to present some practical problems in this area. Consider the simple example in which the plaintext number P = 2 was transformed into the ciphertext number C = 8. To apply the deciphering algorithm P = C^D modulo n it is necessary to calculate 8^27 modulo 55 (which does indeed equal 2). Multiplying 8 by itself 27 times is, however, a cumbersome process involving large numbers and a great many computational steps. In more realistic RSA systems, where D would be a 200-digit number, this procedure would be impossible to carry out, even on a very powerful computer.

FLOW OF INFORMATION in the trapdoor knapsack cryptosystem is shown at the left. The corresponding transformations of the first block of plaintext HO are shown at the right. In this public-key system based on the knapsack problem each receiver (by means of a random-number generator) selects a secret vector a' = (a_1', ..., a_n') with the property that each element is greater than the sum of the preceding elements and also selects two large random numbers w and m with no common factors (1). The numbers w and m are the trapdoor parameters for converting the secret "easy" vector a' into a "difficult" public vector a = (a_1, ..., a_n) by means of the equations a_1 = a_1'w modulo m, a_2 = a_2'w modulo m and so on. The difficult vector a is transmitted to the sender over an insecure channel or is listed in a public directory as the receiver's enciphering key (2). To encipher a plaintext P a sender begins by converting it into a binary string according to, say, the five-bit binary alphabet given at the top of the illustration on page 146 (3). The sender then looks up the receiver's public key and breaks the string into blocks of n binary digits (4). For example, in the system shown at the right (in which the numbers are far too small to provide real secrecy) there are 10 elements in the public vector, and so the binary string is divided into blocks of 10 bits each. Every block is enciphered by forming its dot product with a (5), that is, if the first block is x = (x_1, ..., x_n), the first ciphertext number C_1 equals a·x, or a_1x_1 + ... + a_nx_n, and so on. The ciphertext numbers are transmitted to the receiver over an insecure channel. The receiver recovers, say, x by calculating first w^-1 (6) and then C_1' = C_1w^-1 modulo m (7). (The number w^-1 is the inverse of w modulo m, the number that when multiplied by w gives 1 modulo m.) Remember that a_1 equals a_1'w modulo m, a_2 equals a_2'w modulo m and so on, and therefore a_1' equals a_1w^-1 modulo m, a_2' equals a_2w^-1 modulo m and so on. Hence C_1', or C_1w^-1 modulo m, which equals a_1x_1w^-1 + ... + a_nx_nw^-1, or a_1w^-1x_1 + ... + a_nw^-1x_n, modulo m, equals a_1'x_1 + ... + a_n'x_n. In other words, C_1' equals a'·x, and the difficult knapsack problem of recovering x from C_1 and a has been converted back into the easy problem of recovering x from C_1' and a'. Only the receiver, who possesses the trapdoor information w and m and knows the secret vector a', can effect the transformation and recover x (8).

Fortunately there is a much faster method for calculating functions of this kind. First the binary expansion of the exponent (the expression of the exponent as a sum of powers of 2) is utilized to break up the function into a product of smaller factors; for example, 27 equals 1 + 2 + 8 + 16, and so 8^27 equals 8 × 8^2 × 8^8 × 8^16. Now, by calculating the smaller factors first and then taking their product, the number of operations required can be limited. For example, 8^2 modulo 55 can be evaluated with only one modular multiplication (an ordinary multiplication followed by an ordinary division), since 8 × 8, or 64, modulo 55 equals 9. Then 8^4, which is equal to 8^2 × 8^2, can be evaluated with an additional modular operation, 9 × 9 = 81 = 26 modulo 55, and so on. (Substituting the value of 8^2 modulo 55, namely 9, into the larger factors prevents the size of the numbers involved in the computation from blowing up.) Hence only seven modular multiplications are needed to calculate 8^27: four to evaluate 8^2, 8^4, 8^8 and 8^16 and three more to multiply 8 times 8^2 times 8^8 times 8^16. Even when D is a 200-digit number, this method results in a deciphering procedure that is quite efficient, requiring at most 1,330 modular multiplications rather than the 10^200 operations necessary in the straightforward approach.

RSA PUBLIC-KEY CRYPTOSYSTEM is based on the problem of factoring a large number, or finding all the prime numbers that divide it evenly. (A prime number is an integer that is divisible only by 1 and itself.) As is shown at the left, each receiver in the RSA system generates two large random prime numbers p and q, which serve as his secret trapdoor parameters, and a large random number E (1). There are computationally efficient tests for identifying primes such as p and q, but when these numbers are sufficiently large, it is computationally infeasible to derive them from their product pq, or n. The receiver lists E and n as his public enciphering key (2). To encipher a plaintext P the sender first converts it into a string of numbers, using the decimal alphabet shown at the bottom of the illustration on page 146 (3), and then breaks the string into blocks of equal length P_1, P_2, ..., each number P_i in this series being less than n (4). Each block is converted into a ciphertext number by raising it to the Eth power and then reducing modulo n, that is, C_1 equals P_1^E modulo n, C_2 equals P_2^E modulo n and so on (5). The ciphertext numbers C_1, C_2, ... are transmitted over an insecure channel. Arithmetic in the exponent of a function that is calculated modulo n must be carried out modulo φ(n), where φ(n) equals (p - 1)(q - 1), and so the receiver utilizes p and q to determine φ(n) = (p - 1)(q - 1) and then D = E^-1 modulo φ(n), which serves as his secret deciphering key (6). To convert C_1, C_2, ... back into plaintext numbers the receiver raises each one to the Dth power and reduces it modulo n (7). Because C_i^D modulo n equals (P_i^E)^D, or P_i^ED, modulo n and ED modulo φ(n) equals 1, P_i^ED equals P_i modulo n. In other words, this operation inverts the enciphering transformation, recovering the plaintext number blocks P_1, P_2, .... In the example shown at right the values of E, p and q are too small to provide real security.
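The arithmetic of the preceding paragraphs carried out in code, as an added example that is not part of Hellman's article: φ(n) from its definition, the extended-Euclid derivation of D from E and φ(n), exponentiation by the binary expansion of the exponent with the multiplication count the text describes, and the enciphering and deciphering round trip with the text's toy parameters p = 5, q = 11, E = 3. All function names are this example's own.

```python
"""RSA with the article's toy parameters p = 5, q = 11, E = 3 (n = 55).

Added example, not Hellman's code.  The numbers are far too small for real
secrecy; they are used only to reproduce the arithmetic in the text:
phi(55) = 40, D = 27, P = 2 -> C = 8 -> 2, and 8^27 mod 55 in seven modular
multiplications.
"""
from math import gcd


def euler_phi_by_counting(n):
    """phi(n) from its definition: how many k in 1..n have no common factor with n.
    Practical only for tiny n; it is here to check the (p - 1)(q - 1) shortcut."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def mod_inverse(e, phi):
    """Extended Euclid: the D with E * D = 1 (mod phi), the 'fast, computationally
    easy method for deriving D' the text refers to."""
    r0, r1 = phi, e % phi
    s0, s1 = 0, 1                 # invariant: s_k * e == r_k (mod phi)
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("E must have no common factor with phi(n)")
    return s0 % phi


def mod_pow_counted(base, exponent, modulus):
    """Exponentiation by the binary expansion of the exponent, as in the text.

    Returns (base**exponent mod modulus, number of modular multiplications).
    Repeated squaring gives base^(2^k) mod modulus; the factors whose bit is set
    in the exponent are then multiplied together.  For 8^27 mod 55 that is
    4 squarings + 3 products = 7.  Every intermediate value is reduced, so
    nothing ever exceeds modulus^2.  (For a 200-digit exponent, about 665 bits,
    the count stays near 2 * 665, the article's 'at most 1,330'.)"""
    if exponent == 0:
        return 1 % modulus, 0
    powers = [base % modulus]             # powers[k] == base^(2^k) mod modulus
    mults = 0
    while (1 << len(powers)) <= exponent:
        powers.append(powers[-1] * powers[-1] % modulus)
        mults += 1
    chosen = [powers[k] for k in range(len(powers)) if (exponent >> k) & 1]
    result = chosen[0]
    for factor in chosen[1:]:
        result = result * factor % modulus
        mults += 1
    return result, mults


def rsa_keys(p, q, e):
    """Public key (E, n) and secret key D from the trapdoor primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)               # equals euler_phi_by_counting(n) for n = pq
    return (e, n), mod_inverse(e, phi)


def encipher(blocks, public_key):
    """C_i = P_i^E mod n; each block must already satisfy 0 <= P_i < n."""
    e, n = public_key
    if any(not 0 <= p < n for p in blocks):
        raise ValueError("every plaintext block must lie between 0 and n - 1")
    return [mod_pow_counted(p, e, n)[0] for p in blocks]


def decipher(cipher_blocks, d, n):
    """P_i = C_i^D mod n, because E * D = 1 modulo phi(n)."""
    return [mod_pow_counted(c, d, n)[0] for c in cipher_blocks]
```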

The RSA system is a public-key cryptosystem that allows the direct generation of a digital signature: a number that can be appended to a ciphertext message to solve the problems of authentication mentioned above. To be of real service such a signature must be easy for the sender to generate and for the receiver to check but must be computationally infeasible for a third party or the receiver himself to generate. Of the various methods for generating digital signatures the simplest involves exploiting the inverse relation of the public enciphering and secret deciphering keys by reversing their roles. For example, in the RSA system the sender can utilize his own secret deciphering key D as a signing key, to compute the signature S_i = P_i^D modulo n for each P_i in the series of plaintext numbers P_1, P_2, ... that represent a message to be transmitted. (Remember that each P_i is chosen to be between 0 and n - 1.) Once the signatures S_1, S_2, ... have been generated the sender enciphers each signed message block (P_i, S_i), using the receiver's public enciphering key. This second operation has nothing to do with signature generation; it simply ensures the privacy of the communication.

The receiver uses his own secret key to recover the signed message block (P_i, S_i), and then he looks up the sender's public key (E, n) and computes S_i^E modulo n for each i. D and E effect inverse operations regardless of the order of their application, and so since S_i equals P_i^D modulo n, S_i^E modulo n should be equal to P_i. If that is the case, the receiver can be sure that the message comes from the apparent sender and that it has not been tampered with. Since the digital signature depends on both the sender and the message sent, it offers a level of security different from that of a written signature, which is the same for all messages. With the digital signature neither the receiver nor a third party can alter the message without destroying the validity of the signature. (When the message to be sent is long, rather than signing each submessage separately it may be desirable to compress the message and calculate a single signature S; the compression can be effected in such a way that S still depends on the entire message P.)
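The sign-then-encipher and decipher-then-verify procedure of the two paragraphs above, as an added example that is not the article's code. The sender holds the text's toy key (n = 55, E = 3, D = 27); the receiver's key (p = 7, q = 13, n = 91, E = 5, D = 29) and the SHA-256 stand-in for the "compression" of the closing remark are constructed for this example.

```python
"""RSA digital signatures by reversing the roles of E and D.

Added example, not Hellman's code.  The sender holds the article's toy key
(p = 5, q = 11, n = 55, E = 3, D = 27); the receiver's key (p = 7, q = 13,
n = 91, E = 5, D = 29) is constructed for this example.  Both are far too
small for real security.
"""
import hashlib

# (E, n) is public, D is secret, and E * D = 1 mod (p - 1)(q - 1):
# 3 * 27 = 81 = 2 * 40 + 1 and 5 * 29 = 145 = 2 * 72 + 1.
SENDER_PUBLIC, SENDER_SECRET = (3, 55), 27
RECEIVER_PUBLIC, RECEIVER_SECRET = (5, 91), 29


def sign(blocks, d, n):
    """S_i = P_i^D mod n, computed with the signer's own secret deciphering key."""
    if any(not 0 <= p < n for p in blocks):
        raise ValueError("each P_i must lie between 0 and n - 1")
    return [pow(p, d, n) for p in blocks]


def verify(blocks, signatures, public_key):
    """S_i^E mod n must reproduce P_i for every block; altering either breaks it."""
    e, n = public_key
    return len(blocks) == len(signatures) and all(
        pow(s, e, n) == p for p, s in zip(blocks, signatures))


def send(blocks, sender_secret, sender_public, receiver_public):
    """Sign with the sender's D, then encipher each (P_i, S_i) under the receiver's
    (E, n).  The second step is for privacy only and plays no part in signing."""
    _, n_sender = sender_public
    e_recv, n_recv = receiver_public
    if n_sender > n_recv:
        raise ValueError("signed values up to n_sender - 1 must be below the receiver's n")
    signatures = sign(blocks, sender_secret, n_sender)
    return [(pow(p, e_recv, n_recv), pow(s, e_recv, n_recv))
            for p, s in zip(blocks, signatures)]


def receive(pairs, receiver_secret, receiver_public, sender_public):
    """Decipher with the receiver's D, then check every S_i with the sender's E."""
    _, n_recv = receiver_public
    blocks = [pow(c_p, receiver_secret, n_recv) for c_p, _ in pairs]
    signatures = [pow(c_s, receiver_secret, n_recv) for _, c_s in pairs]
    return blocks, verify(blocks, signatures, sender_public)


def compress(blocks, n):
    """Stand-in for the 'compression' of a long message in the closing remark:
    a SHA-256 digest (a modern choice, not from the 1979 text) reduced to one
    number below n, so that a single S still depends on the entire message."""
    digest = hashlib.sha256(",".join(map(str, blocks)).encode()).digest()
    return int.from_bytes(digest, "big") % n


def sign_compressed(blocks, d, n):
    return pow(compress(blocks, n), d, n)


def verify_compressed(blocks, s, public_key):
    e, n = public_key
    return pow(s, e, n) == compress(blocks, n)
```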

The traditional difficulties of solving the knapsack and factoring problems can be taken as an encouraging sign that the public-key cryptosystems based on these problems are in practical terms secure. A past history of intractability cannot, however, be considered a proof that a system is secure. It is always possible, if unlikely, that at some time in the future computationally efficient general methods for solving these problems will be found. An even greater hazard is that a method will be discovered for breaking one of the cryptosystems without solving the corresponding general problem. For example, it is possible that although solving most regular knapsack problems is computationally infeasible, there is an easy way to solve the much smaller set of trapdoor knapsack problems. Similarly, it may be possible to recover the plaintext enciphered by the RSA technique without finding the factors of n. (Michael O. Rabin of the Hebrew University of Jerusalem has recently shown, however, that in the case where the enciphering exponent E is 2, the security of the RSA system is not simply dependent on the difficulty of factoring n but is actually equivalent to it. This finding constitutes an important first step toward the goal of developing provably secure systems.)

Cryptography has not yet advanced to the stage where it can prove the computational security of even a conventional system or a one-way function. Hence it is not surprising that there is no way to establish the security of the public-key systems, which are based on the more complex trapdoor one-way functions. It is hoped, however, that over the next decade or two complexity theory will advance to the point where such proofs can be formulated. Some progress has been made in this direction through the study of a special subset of the NP problems.

Remember that the NP problems are ideal candidates for one-way functions because finding a solution to them is computationally difficult but checking a proposed solution is computationally easy. Some of these problems such as the knapsack problem (but not factoring) belong to the subset of the NP problems that is called NP-complete. The NP-complete problems have the added property that if any one of them had an easily implemented method for finding general solutions, then all the NP problems would. Now, all cryptanalytic problems — problems of breaking cryptosystems — are in the class NP, since it is always easy to check the validity of a proposed key. Therefore if any NP-complete problem can be solved rapidly, it follows that all cryptographic systems can be broken easily. Roughly speaking, then, if the security of a cryptosystem could be shown to be equivalent in difficulty to an NP-complete problem, it would be as secure as any cryptographic system can be.

One flaw in this type of evaluation is that complexity theory deals with the "worst case" computational difficulty of solving a problem, whereas cryptography is concerned with the average or typical difficulty of solving a problem. For example, in current complexity theory a problem whose solution requires 10^1,000 operations 1 percent of the time but only 100 operations 99 percent of the time is considered to be difficult. Obviously a cryptosystem that can be broken 99 percent of the time is worthless. Workers in complexity theory are aware of this shortcoming and are currently developing more suitable measures of computational difficulty.

Although factoring is not an NP-complete problem, it has through the years largely resisted the attack of some of the best mathematical minds. That is why Rabin's proof, which establishes an equivalence between the difficulty of factoring and breaking an RSA scheme, is an extremely important result. Until such time as the security of proposed cryptosystems can be formally evaluated, however, it is a worthwhile (and intellectually challenging) exercise to try to break them.

In electronic communications systems, as in any new technology, there is a potential for misuse. For example, the danger of foreign or domestic intelligence organizations spying on American citizens who rely on these systems is a real one. It has recently been revealed that U.S. microwave telephone traffic is being monitored in at least one foreign embassy in Washington. In the late 1960's the U.S. Government's "Operation Shamrock" intercepted international Telex communications to and from "targeted" individuals, including antiwar activists. If such excesses are to be limited, both legal and technical safeguards are needed.

There is always a trade-off between the rights of citizens to privacy and the desire of government intelligence agencies to limit the availability of secure cryptosystems. A conflict in this area has recently arisen concerning the Federal Data Encryption Standard, a conventional cryptosystem issued by the National Bureau of Standards for nonmilitary encryption purposes. The National Security Agency convinced the International Business Machines Corporation, the company that designed the standard, to reduce the key size to 56 bits. Although there is controversy surrounding the issue, I believe the reduction in key size was meant to weaken the standard so that if it were ever employed by a foreign organization, it could be broken by the National Security Agency. Issues similar to this one will certainly arise as the new public-key systems become commercial realities. It is to be hoped that these issues will be decided by an open discussion of the relative needs of the intelligence community and the citizenry rather than, as appears to have been the case, by the unilateral decision of the intelligence community that its needs take precedence.

MARTIN E. HELLMAN ("The Mathematics of Public-Key Cryptography") is associate professor of electrical engineering at Stanford University. He received his B.E. at New York University and his Ph.D. from Stanford in 1969. After teaching for two years at the Massachusetts Institute of Technology he joined the Stanford faculty. He is best known for his invention of public-key cryptography in collaboration with his students Whitfield Diffie and Ralph Merkle; he has also done research on information theory, error-control coding and statistics. Hellman wishes to acknowledge the National Science Foundation's support of his work.

by a third party. In other words, these systems make it possible to dispense with the transporting of signed documents and to depend exclusively on the electronic transmission of information.

If an eavesdropper had unlimited computing resources, he could break a public-key system and recover a plaintext. The enciphering operation E is public and the number of possible plaintexts is immense but finite, and so E could be applied to each plaintext until the intercepted ciphertext was reproduced. Since such an attack requires an impossibly large amount of computing time, however, the public-key systems can still be computationally secure. There are also similar techniques for deriving the secret deciphering key D from the public enciphering key E, but once again the computational infeasibility of implementing those algorithms provides the systems with practical security. To put it another way, the systems are based on what are called trapdoor one-way functions. A one-way function is an easily computed function for which it is computationally infeasible to compute the inverse function. A trapdoor one-way function is an easily computed function for which it is computationally infeasible to compute the inverse function unless certain specific information that was employed in the design of the function is known. Hence like a trapdoor in the floor of a motion-picture haunted house, such functions are easy to go through in one direction, but unless one possesses the special trapdoor information (analogous in the haunted house to which brick to pull or which panel to push) the reverse process takes an impossibly long time.

The search for trapdoor one-way functions on which to base public-key cryptosystems led naturally to the class of problems that complexity theory has identified as nondeterministic, polynomial-time problems, or NP problems. For the purposes of these cryptosystems the most important property of the NP problems is that at present all the algorithms that are known for finding general solutions to them call for rapidly increasing amounts of time, although a proposed solution can be quickly checked. In other words, as the size n of such a problem increases, the number of computational steps required to solve the problem increases in proportion to, say, an exponential function of n such as 2^n, whereas the number of steps required to check a possible solution increases in proportion to a polynomial function of n such as n^2. Exponential functions increase far more rapidly than polynomial ones, so that a method of solution that requires exponentially increasing amounts of computer time is impossible to implement for even moderate-size problems. For mathematicians concerned with cryptography the appeal of the NP problems resides in the fact that although it might take someone billions of years to find a solution to such a problem, once he found it he could convince the rest of the world of its validity in seconds. As a result these problems lend themselves readily to the construction of one-way functions. And for the NP problems on which public-key cryptosystems have been based it has been possible to build trapdoors into the functions as well.

I shall describe here two public-key cryptosystems based on NP problems: the trapdoor knapsack system, developed by Merkle and me, and the RSA system, developed by Ronald Rivest, Adi Shamir and Leonard Adleman at the Massachusetts Institute of Technology. The first of these cryptosystems is based on a well-known NP problem called the knapsack or subset sum problem: Given a knapsack of length C and a set of n rods all of the same diameter as the knapsack but of lengths a_1, a_2, ..., a_n, find a subset of the rods that completely fills the knapsack. To put it another way, given a set of numbers a_1, ..., a_n and a sum C, determine which of the numbers add up to C.

The public-key cryptosystem based on this problem operates as follows. The sender begins by converting his message into a string of binary numbers. For example, five bits (binary digits) might be allocated for each letter, number or punctuation mark in the plaintext, providing an alphabet of 2^5, or 32, characters: A = 00000, B = 00001, C = 00010 and so on. Once the message is in binary form the sender consults a public directory of enciphering keys, which lists an ordered set of n numbers a = (a_1, a_2, ..., a_n) for each user of the system. This set is called the user's trapdoor knapsack vector.

In mathematics an ordered set of n numbers is called an n-dimensional vector, and the "dot," or scalar, product of any two vectors of the same dimension is defined as follows: for vectors a = (a_1, ..., a_n) and b = (b_1, ..., b_n) the dot product a·b equals a_1b_1 + a_2b_2 + ... + a_nb_n. This form of vector multiplication is the basic operation of the enciphering algorithm in the trapdoor knapsack system. To encipher the string of binary numbers that represents his message the sender first breaks the string into blocks of n bits, and for each block x = (x_1, x_2, ..., x_n) he forms the dot product C = a·x of that block with the public enciphering vector a, that is, C = a_1x_1 + a_2x_2 + ... + a_nx_n.

The sum C is the information the sender transmits over the insecure channel, so that any eavesdropper is confronted with the task of recovering x from C and the numbers a_1, ..., a_n. In what follows it will be convenient to refer to the elements of a vector x as the x_i's (or to the elements of a vector a as the a_i's), where the values of i are taken to be the integers from 1 to n. Since each x_i is equal to either 0 or 1, one can see that the problem of recovering x from C is equivalent to solving the knapsack or subset sum problem for these values of


IN A PUBLIC-KEY CRYPTOSYSTEM there is no need of a secure channel for the distribution of keys. As is shown here, each receiver generates two distinct keys: a public key $E$ for implementing the public enciphering procedure $G$ and a secret key $D$ for implementing the public deciphering procedure $H$, which is the inverse of $G$. The keys $E$ and $D$ are related in the sense that they serve to specify inverse transformations $G_E$ and $H_D$, but given $E$ it is computationally infeasible to derive $D$: computing $D$ from $E$ would require thousands or even billions of years on the largest computer imaginable. Hence the receiver may communicate his enciphering key $E$ over an insecure channel, as is shown here, or even list it in a public directory without compromising his deciphering transformation. A person who wants to send the plaintext $P$ to the receiver operates on it with the receiver's enciphering transformation $G_E$ to generate a ciphertext $C$, or $G_E(P)$. This ciphertext is transmitted over an insecure channel, and the receiver operates on it with the deciphering transformation $H_D$ to recover the plaintext $P$, or $H_D(C)$. As long as the deciphering key $D$ is kept secret there is no way for an eavesdropper to decipher the transmitted message. The challenge in designing such a system is to find general procedures $G$ and $H$ for which pairs of inverse keys $E$ and $D$ are easily generated but for which it is computationally infeasible to compute $D$ from $E$. A source of such pairs is a group of mathematical problems that are said to be in the class NP (see illustration on opposite page).
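The enciphering operation the text describes and the key pair the figure caption calls $E$ and $D$, as an added example (this is not code from the article): it encodes text in the five-bit alphabet above, splits the bit string into $n$-bit blocks, and transmits the dot product $C = a \cdot x$ for each block, then shows the receiver's easy way back from $C$ and the eavesdropper's hard one. The trapdoor itself is an assumption that this excerpt has not yet reached: a superincreasing private vector disguised by multiplication by a secret $w$ modulo $m$, which is the Merkle-Hellman construction. The toy parameters ($n = 10$, $w = 711$, $m = 2003$), the sample message, and the six symbols chosen to fill the 32-character alphabet after Z are constructed for this example.

```python
from itertools import product
from math import gcd
from typing import List, Optional

# Constructed 32-symbol alphabet: A = 00000, B = 00001, C = 00010, ... as on the
# page; the six symbols after Z are our own choice to fill the 2**5 code points.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ .,?!-"
BITS_PER_CHAR = 5


def text_to_bits(text: str) -> List[int]:
    """Plaintext -> string of binary digits, five per character, high bit first."""
    bits: List[int] = []
    for ch in text:
        code = ALPHABET.index(ch)  # ValueError for symbols outside the alphabet
        bits.extend((code >> k) & 1 for k in range(BITS_PER_CHAR - 1, -1, -1))
    return bits


def bits_to_text(bits: List[int]) -> str:
    """Inverse of text_to_bits."""
    out = []
    for i in range(0, len(bits), BITS_PER_CHAR):
        code = 0
        for b in bits[i:i + BITS_PER_CHAR]:
            code = (code << 1) | b
        out.append(ALPHABET[code])
    return "".join(out)


def make_public_vector(private: List[int], w: int, m: int) -> List[int]:
    """Trapdoor construction (Merkle-Hellman, assumed here): the private vector
    is superincreasing, m exceeds its total, w is invertible mod m, and the
    published a_i are w * a_i mod m.  Only the public vector goes in the directory."""
    total = 0
    for a in private:
        if a <= total:
            raise ValueError("private vector must be superincreasing")
        total += a
    if m <= total or gcd(w, m) != 1:
        raise ValueError("need m > sum(private) and gcd(w, m) == 1")
    return [(w * a) % m for a in private]


def encipher(public: List[int], bits: List[int]) -> List[int]:
    """Sender's operation from the text: split into n-bit blocks x and send
    C = a . x = a_1 x_1 + ... + a_n x_n for each block."""
    n = len(public)
    if len(bits) % n:
        raise ValueError("bit string length must be a multiple of n")
    return [sum(a * x for a, x in zip(public, bits[i:i + n]))
            for i in range(0, len(bits), n)]


def decipher(private: List[int], w: int, m: int, sums: List[int]) -> List[int]:
    """Receiver's trapdoor: undo w mod m, then solve the easy superincreasing
    knapsack greedily from the largest element down."""
    w_inv = pow(w, -1, m)
    bits: List[int] = []
    for c in sums:
        target = (c * w_inv) % m  # equals sum(a_i x_i) exactly, since that is < m
        block = [0] * len(private)
        for i in range(len(private) - 1, -1, -1):
            if private[i] <= target:
                block[i] = 1
                target -= private[i]
        if target != 0:
            raise ValueError("not a valid ciphertext for this key")
        bits.extend(block)
    return bits


def subset_sum_bruteforce(public: List[int], c: int) -> Optional[List[int]]:
    """The eavesdropper's task as the text states it: which a_i add up to C?
    Without the trapdoor this tries all 2**n blocks; instant at n = 10,
    hopeless at the n of a real deployment."""
    for block in product((0, 1), repeat=len(public)):
        if sum(a * x for a, x in zip(public, block)) == c:
            return list(block)
    return None


def encrypt_message(public: List[int], text: str) -> List[int]:
    """Pad with spaces so the bit string fills whole blocks, then encipher.
    Assumes n is a multiple of 5 so blocks hold whole characters."""
    if len(public) % BITS_PER_CHAR:
        raise ValueError("n must be a multiple of BITS_PER_CHAR for this helper")
    chars_per_block = len(public) // BITS_PER_CHAR
    while len(text) % chars_per_block:
        text += " "
    return encipher(public, text_to_bits(text))


def decrypt_message(private: List[int], w: int, m: int, sums: List[int]) -> str:
    """Decipher and strip the space padding added by encrypt_message."""
    return bits_to_text(decipher(private, w, m, sums)).rstrip(" ")


# Constructed toy key: n = 10, so each block carries two characters.
PRIVATE = [2, 3, 7, 14, 30, 57, 120, 251, 500, 1010]
W, M = 711, 2003
PUBLIC = make_public_vector(PRIVATE, W, M)

if __name__ == "__main__":
    ct = encrypt_message(PUBLIC, "HELLO, WORLD")
    print("transmitted sums:", ct)
    print("receiver recovers:", decrypt_message(PRIVATE, W, M, ct))
    print("eavesdropper, block 0:", subset_sum_bruteforce(PUBLIC, ct[0]))
```

The brute-force routine is the eavesdropper's task exactly as the text states it, and at $n = 10$ it finishes at once; the text's security claim rests on $n$ being large enough that $2^n$ trials are out of reach. Keep in mind that the basic Merkle-Hellman knapsack was later broken (Shamir, 1982), so this is a teaching model of the public-key idea, not a cipher to deploy.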
NEW APPLE ][ SOFTWARE

All programs written in Integer BASIC for 16K.

Prices: Cassette / Disk

- SOFTBALL/TANK, $14.95 / $18.95, by Dave Redhed. Two arcade games in low res for two players.

- CHARACTER TRAITS/PSALMS, by Dave Redhed. Two classic CAI programs. CT is based on the card game Character Clues. Psalms are scriptural quotations dependent on your mood.

- TOUCH TYPING TUTOR, by Bill Massena. Improve your typing. Four lessons. Three preprogrammed lessons: Finger Builders, General Typing, and BASIC Language. One you can input yourself. Tracks your speed and error count.

- FOLLOW THAT TUNE, $11.95 / $15.95, by Bill Massena. A musical game of "Simon Said." For up to 4 players.

See your dealer or write:

$14.95 $18.95

COMPUTER SERVICES COMPANY
14109 S.E. 168th St.
RENTON, WA 98055

Washington residents add 5.3% sales tax.
Let's face it, there is information which just isn't meant for everyone who uses or has access to your computer. Consider payroll or tax records. Until now, the only way to secure these and other valued or privileged records meant either "pulling the plug" or locking the diskettes in a safe. Who wants to run to the safe each time an update needs to be made? At last a simple, effective and convenient method of data security is available — ENCODE/DECODE.

ENCODE/DECODE is a complete software security system for your micro/mini computer. ENCODE/DECODE can provide both the level of security and privacy you desire without loss of ON-LINE immediate access to data. ENCODE/DECODE is a sophisticated coding program which transforms data stored on disc into coded text which is completely unrecognizable. When it's time to access the file, it is decoded and ready for use. This means that data can be on-line and current with all your other files, yet only the user defined combination can retrieve it.

Multiple Security Levels: Using ENCODE/DECODE you can easily maintain several layers of security through the use of separate combinations. This means that each file can have its own 'password', allowing only those with the 'password' access to the file.

ENCODE/DECODE uses a complex coding algorithm which supports over 987,000,000 possible combinations, thus making accidental or 'exhaustive search' methods of decoding virtually impossible. Briefly, an encoded data file will appear scrambled and completely unintelligible until you decode it. Both encoding and decoding require the user defined combination.

Uses for ENCODE/DECODE are unlimited. Below are a few examples:

data bases, payroll files, programs, text, general ledger, correspondence, tax records, mail lists, inventory, accounts payable/receivable & more

ENCODE/DECODE is available in two versions. ENCODE/DECODE I provides a level of security suitable for normal use. ENCODE/DECODE II provides enhanced security for the most demanding needs. Both versions come supplied on diskette and with a complete user's manual.

ENCODE/DECODE I:  $50.00
ENCODE/DECODE II: $100.00
manual for above: $15.00

Minimal system requirements: 24K CP/M; 16K disc for TRS-80

Formats: CP/M 8" SOFT SECTORED, NORTHSTAR CP/M AND TRS-80 DOS

All Orders and General Information:

SUPERSOFT ASSOCIATES
P.O. BOX 1623
CHAMPAIGN, IL 61820
(217) 344-7596

Technical Hot Line: (217) 384-0847
(answered only when technician is available)

OEM and dealer inquiries invited; overseas orders add $5.00 shipping.



CP/M is a registered trademark of Digital Research. TRS-80 is a trademark of Tandy Corp.
Patent Granted for Microprocessor To Encrypt Software on a Chip

By Brad Schultz
CW Staff

SEATTLE — A means of thwarting software piracy — the illicit copying and black-marketing of proprietary code — may be available soon as a microprocessor chip.

Robert M. Best of Seattle was recently granted U.S. patent 4,168,396 for his design of a "crypto-microprocessor" (CM) that decrypts and executes software.

Piracy can be a lucrative enterprise if the plundered software runs on a large number of installed CPUs without needing significant modification. The problem is acute for vendors and for users that routinely ship programs representing considerable investments.

Some user software, such as computer-aided design and manufacturing (CAD/CAM) routines, offers major competitive advantages — as long as it is not intercepted by rival firms.

Micro Modifications

Best's CM scheme entails modifying existing microcomputers, but the changes would not dampen their performance significantly, he maintained.

Following the scheme, software houses would encrypt programs before delivering them to customers. Each customer would have a CM instead of an ordinary microprocessor in the systems supported by the program.

The CM would feature a circuit dedicated to decrypting each instruction of the encrypted program as that instruction was fetched for execution, Best explained.

The CMs disseminated to the program's official user base and the device used by the software house to encrypt the program would all have equivalent encryption keys. This would allow bona fide users to exchange or remotely share access to the program, Best pointed out.

But prospective pirates could not decipher the software unless they also obtained the appropriate CM. By tapping transmission lines or hijacking shipments of the program, pirates could only derive incomprehensible encrypted data. The CMs could not output comprehensible decrypted listings of the routine.

Pirates and legitimate users could make multiple copies of the encrypted program delivered by the software house. But only an authorized user could run those copies, Best emphasized.

Therefore, pirates could not run copies of the program on other microprocessors, nor disassemble copies for use in competing software products. Proprietary data files could also be safely distributed in cipher along with a CM unit to anonymous users, Best continued.

Best's patent describes several encryption methods, including a polyalphabetic substitution cipher that reportedly employs a number of small tables of randomly generated bits stored on the CM chip. "Each deciphering cycle overlaps a bus-addressing cycle, so additional clock cycles are not required," Best observed.

That means CMs may prove competitive in performance with conventional microprocessors, he asserted.

Currently employed full-time as a Cobol programmer, Best is hunting in his spare time for a semiconductor manufacturer to implement the CM design. "Production processors could be available within two years by modifying existing microprocessor designs," he indicated.

Best reportedly has 14 basic patent applications pending in the U.S., Japan, the UK and other nations for a second type of CM that would execute programs encrypted in 8-byte blocks in compliance with the federal Data Encryption Standard.
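A simulation of the fetch-time decryption the article describes, added here as an example; it is not Best's patented design and makes no claim about how his chip works internally. Everything in it is assumed or constructed: a four-opcode toy machine, a polyalphabetic substitution in which the alphabet applied to each program byte is selected by that byte's address, seeded pseudorandom permutations standing in for the chip's stored random bits, and the seeds (1234 for the vendor's key, 999 for an unrelated chip) and the sample program. The point it makes is the one the article makes: the same encrypted image runs on a chip holding the matching tables and is unusable on an ordinary processor or on a chip with different tables.

```python
import random
from typing import Callable, List, Optional

# Constructed toy instruction set: two-byte instructions, opcode then operand.
OP_LOAD, OP_ADD, OP_OUT, OP_HALT = 0x10, 0x20, 0x30, 0x40

Fetch = Callable[[int, int], int]  # (address, stored byte) -> byte the CPU executes


class IllegalInstruction(Exception):
    """Raised when a fetched opcode is unknown, e.g. ciphertext fed to the wrong CPU."""


def make_tables(seed: int, count: int = 4) -> List[List[int]]:
    """The chip's secret: `count` byte-substitution alphabets.  The article speaks
    of small tables of randomly generated bits stored on the CM; a seeded PRNG
    stands in for them here so the example is reproducible."""
    rng = random.Random(seed)
    tables = []
    for _ in range(count):
        table = list(range(256))
        rng.shuffle(table)
        tables.append(table)
    return tables


def invert_tables(tables: List[List[int]]) -> List[List[int]]:
    """Inverse permutations, i.e. the deciphering side of each alphabet."""
    inverses = []
    for table in tables:
        inv = [0] * 256
        for plain, cipher in enumerate(table):
            inv[cipher] = plain
        inverses.append(inv)
    return inverses


def encrypt_program(tables: List[List[int]], program: bytes) -> bytes:
    """Software-house side.  Polyalphabetic: the alphabet for the byte at address
    a is table a mod count, so equal plaintext bytes at different addresses
    need not give equal ciphertext bytes."""
    k = len(tables)
    return bytes(tables[addr % k][byte] for addr, byte in enumerate(program))


def cm_fetch(tables: List[List[int]]) -> Fetch:
    """Fetch path of a crypto-microprocessor holding `tables`: each byte goes
    through the inverse alphabet for its address as it comes off the bus, and
    the decrypted instruction never leaves the chip."""
    inverses = invert_tables(tables)
    k = len(inverses)
    return lambda addr, byte: inverses[addr % k][byte]


def plain_fetch(addr: int, byte: int) -> int:
    """Fetch path of an ordinary microprocessor: bytes are executed as stored."""
    return byte


def run(image: bytes, fetch: Fetch = plain_fetch) -> List[int]:
    """Execute an image on the toy machine; returns the values written by OUT."""
    acc, pc, out = 0, 0, []
    while pc + 1 < len(image):
        opcode = fetch(pc, image[pc])
        operand = fetch(pc + 1, image[pc + 1])
        pc += 2
        if opcode == OP_LOAD:
            acc = operand
        elif opcode == OP_ADD:
            acc = (acc + operand) & 0xFF
        elif opcode == OP_OUT:
            out.append(acc)
        elif opcode == OP_HALT:
            break
        else:
            raise IllegalInstruction(f"opcode {opcode:#04x} at address {pc - 2}")
    return out


def try_run(image: bytes, fetch: Fetch = plain_fetch) -> Optional[List[int]]:
    """run(), but report an illegal instruction as None instead of raising."""
    try:
        return run(image, fetch)
    except IllegalInstruction:
        return None


# Constructed sample program: 5 + 7 + 30 -> OUT, so a correct run emits [42].
PROGRAM = bytes([OP_LOAD, 5, OP_ADD, 7, OP_ADD, 30, OP_OUT, 0, OP_HALT, 0])

if __name__ == "__main__":
    vendor_tables = make_tables(seed=1234)            # shared by vendor and licensed CMs
    shipped = encrypt_program(vendor_tables, PROGRAM)  # what travels over the insecure channel
    print("plain CPU, plaintext image:   ", run(PROGRAM))
    print("licensed CM, encrypted image: ", run(shipped, cm_fetch(vendor_tables)))
    print("plain CPU, encrypted image:   ", try_run(shipped))
    print("other CM, encrypted image:    ", try_run(shipped, cm_fetch(make_tables(seed=999))))
```

The design choice worth noticing is where `fetch` sits: decryption is a property of the instruction path, not a separate pass over the program, which is what lets the article's scheme keep copies of the encrypted image freely distributable while making them useful only to a chip that holds the matching tables.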
For installations where system security and data integrity are more than mere buzz words.

Shockwatch is a precise impact detector which can prevent the use of damaged disk packs and cartridges.
Media Recovery Inc, 1435 Roundtable, Dallas, TX 75247

Call toll free: 1-800-527-9497.




OMSI PASCAL

PDP-11 and LSI-11

Fast • Efficient • Supported

A full standard compiler for RT-11, RSX-11M/D, and RSTS/E. Features embedded assembler code, FORTRAN interface, overlays, direct memory access, and interactive symbolic debugger. In use since 1975 — 300 users.

Oregon Minicomputer Software, Inc.
2340 SW Canyon Road, Portland, Oregon 97201
(503) 226-7760  TWX 910-464-4779
